Hello, did anyone ever discuss this in more detail, or reply to it? I couldn't find anything in the archives. I have also wondered about this for a while: whether or not using RSAAuthentication is really more secure than just using PasswordAuthentication.
All, I apologize outright for my ignorance. This may be a topic that has already been discussed, or may even be a non-issue. However, I am not seeing a good solution, so I am asking this list.

My understanding is that RSAAuthentication is most secure, because it requires a username, passphrase, and an RSA key. Thus I would want to use this auth mechanism over PasswordAuthentication, because it only requires a username and password. Obviously I don't want to use RhostsAuthentication, or even RhostsRSAAuthentication, as these are all less secure, relying on a .rhosts/.shosts mechanism.

It appears to me, though, that the inherent weakness in using .rhosts/.shosts files for authentication is also a concern when using RSAAuthentication. If a box is allowing .rhosts/.shosts auth, and an intruder is able to overrun some buffer in a program somewhere and add this file to a user's home directory, they can get access to the box. Theoretically, then, they could overrun some buffer in a program somewhere and add a .ssh directory. When using RSAAuthentication, the only thing that is consulted for auth is the authorized_keys on the server and the identity key on the client, thus installing one's own .ssh directory would give them access to the box.

I see the problem actually residing in the identity key's creation. If this identity key could optionally be non-portable, perhaps tied to the MAC address or IP address (less convenient for sure), then a key could not arbitrarily be copied from one machine (evil.org) to another machine (victim.org). Am I forgetting something, or is there an option somewhere that I am not aware of?

Thanks,
ERic Harrison [EMAIL PROTECTED]
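The closest thing OpenSSH's sshd offers to the "tie the key to an IP address" idea above is the `from="pattern-list"` option on an authorized_keys entry, which limits that key to client hosts or addresses matching the list. The script below is an added example, not code from this thread; it parses authorized_keys syntax (options, key type, key, comment) and flags entries that carry no such restriction, and the sample file text is constructed with placeholder key material.

```python
# Added example, not code from the list post; SAMPLE is constructed, key material is placeholder.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def split_unquoted(text, sep, strip_quotes):
    """Split on sep outside double quotes; strip_quotes also drops quotes/escapes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):  # escaped char inside quotes
            cur.append(text[i + 1] if strip_quotes else ch + text[i + 1]); i += 2; continue
        if ch == '"':
            quoted = not quoted
            cur.append("" if strip_quotes else ch)
        elif ch == sep and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return parts + ["".join(cur)]

def parse_entry(line):
    """Parse one authorized_keys line; None for blank, comment or malformed lines."""
    fields = [f for f in split_unquoted(line.strip(), " ", False) if f]
    if not fields or fields[0].startswith("#"):
        return None
    options = "" if fields[0] in KEY_TYPES else fields.pop(0)  # leading option list
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None  # malformed line
    from_list = None
    for opt in split_unquoted(options, ",", True):
        if opt.lower().startswith("from="):
            from_list = opt[5:].split(",")  # sshd pattern list, e.g. 10.0.0.0/8,!10.0.1.5
    return {"type": fields[0], "comment": " ".join(fields[2:]), "from": from_list}

def audit(text):
    findings = []  # (line number, label, reason) for keys usable from any client host
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None or (entry["from"] and "*" not in entry["from"]):
            continue  # comment/blank/malformed line, or key already pinned to hosts
        reason = "no from= restriction" if entry["from"] is None else "from= allows any host"
        findings.append((lineno, entry["comment"] or entry["type"], reason))
    return findings

SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQ== laptop-unrestricted
from="10.0.0.0/8,!10.0.1.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA== ops from lan
command="/usr/bin/backup, argument",from="backup.example.org" ssh-rsa AAAAB3Nza== backup
from="*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB== anywhere
"""
```

Running `audit(SAMPLE)` reports the first and last sample entries; a `from=` list still only pins the key to a source address or hostname, so StrictModes and root-owned key locations remain the controls against a planted .ssh directory.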
